Forum Discussion
Sensitivity Labels: Labeling Documents in OneDrive severely restricts sharing with external users
Hi everyone, I am currently implementing sensitivity labels for our org and this one thing is really holding me back. Previously, it was possible to create a Word document (or any file) in OneDrive, share it to an external Gmail (or any other) address and let them access it after using an email OTP. Nice!
I have just recently created a set of labels and assigned them to me in Purview. Most labels, including the one that is assigned to docs by default, do not apply any encryption. A label existing on a document still seems to make sharing way harder/impossible in certain scenarios:
Created a fresh Gmail address --> created a fresh Word document with a default label (public, no sharing restrictions, no encryption) --> shared said document to said Gmail address via link --> opened link in private browser tab --> OTP verification happens --> document opens up in browser, then IMMEDIATELY forwards me to our tenant's login page. There, the Gmail address user obviously can't log in since he is not a guest and does not have an account. The fun part: you can (sometimes) use the browser "back" button to return to the document to read and edit.
This... can't be intended, right?
Research suggests to me that Word for the web attempts to resolve the label, for which it has to access our tenant. It then fails since no tenant user is logged in and prompts me to do so.
When I use a Gmail address, create a personal MS account, invite this account into my tenant as a guest, accept the request and share to that user, the user can work with the doc just fine after completing his steps. But this is way too much work IMO.
Has anyone seen this issue? Did I misconfigure something? Has anyone found a solution or a reasonable workaround, or are people just living with this loss of functionality? Do you think it's just a bug and I should report it?
Try workarounds below:
1. Use Unlabeled Documents for External Sharing
If the document truly doesn’t need classification, consider removing the label entirely before sharing externally. This avoids triggering tenant resolution.
2. Create a Label Policy That Excludes External Sharing Scenarios
You can configure label policies to not apply labels by default to OneDrive content or to exclude external users from label enforcement. This requires careful scoping in Purview.
3. Use DLP Policies Instead of Labels for External Sharing Control
If your goal is to prevent sensitive data leaks, Microsoft recommends using Data Loss Prevention (DLP) policies for SharePoint and OneDrive instead of relying solely on sensitivity labels.
4. Guest Access as a Standard Practice
While it’s more work, onboarding external users as guests (via Azure AD B2B) is the most reliable way to ensure label resolution and document access. You can streamline this with automated guest invitation flows.
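Workaround 4 above says guest onboarding can be streamlined with an automated invitation flow. The script below is an added example, not code from the thread or from Microsoft: it invites a list of external addresses as Entra (Azure AD) B2B guests with the Microsoft Graph PowerShell SDK, skipping addresses that already exist as guests so that re-running it does not send duplicate invitation mails. The tenant URL, the recipient list and the function name are assumptions; the caller needs the User.Invite.All and User.Read.All Graph permissions.

```powershell
# Added example (not from the thread): idempotent guest onboarding with the
# Microsoft Graph PowerShell SDK, so that external recipients open shared
# documents as B2B guests (who can resolve the label) instead of OTP-only users.
# Assumptions: the Microsoft.Graph module is installed; the signed-in account
# holds User.Invite.All and User.Read.All; the redirect URL and the addresses
# below are hypothetical/constructed.

Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All" -NoWelcome

$redirectUrl = "https://contoso-my.sharepoint.com/"                      # hypothetical tenant
$recipients  = @("external.reviewer@gmail.com", "partner@example.com")   # constructed list

function Invoke-GuestOnboarding {
    param(
        [Parameter(Mandatory)][string[]]$EmailAddresses,
        [Parameter(Mandatory)][string]$RedirectUrl
    )
    foreach ($mail in $EmailAddresses) {
        # Check first: New-MgInvitation is not idempotent and would create a
        # second invitation (and e-mail) for an address that is already a guest.
        $existing = Get-MgUser -Filter "mail eq '$mail' and userType eq 'Guest'" `
                               -Property Id, Mail, ExternalUserState
        if ($existing) {
            [pscustomobject]@{
                Mail   = $mail
                Action = "exists"
                State  = $existing.ExternalUserState   # Accepted or PendingAcceptance
                UserId = $existing.Id
            }
            continue
        }

        $inv = New-MgInvitation -InvitedUserEmailAddress $mail `
                                -InviteRedirectUrl $RedirectUrl `
                                -InvitedUserType "Guest" `
                                -SendInvitationMessage:$true

        # The guest user object exists immediately (status PendingAcceptance);
        # share the document to $inv.InvitedUser.Id (or to $mail) only after this point.
        [pscustomobject]@{
            Mail   = $mail
            Action = "invited"
            State  = $inv.Status
            UserId = $inv.InvitedUser.Id
        }
    }
}

Invoke-GuestOnboarding -EmailAddresses $recipients -RedirectUrl $redirectUrl | Format-Table -AutoSize
```

The redirect URL is where the guest lands after accepting; pointing it at the tenant's OneDrive/SharePoint host means the first thing the guest sees after redemption is the sign-in the label resolution needs, rather than the dead-end login page described in the question. Guests created this way are real tenant identities, so the usual guest controls (Conditional Access, access reviews, external collaboration settings) apply to them.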
2 Replies
- haanes (Copper Contributor)
Hi Kidd_lp, thank you for your suggestion. Number 4 seems like the best solution. Microsoft is moving away from email OTP in favor of B2B accounts anyway, since they are more secure and offer additional benefits as well. I'm still a bit disappointed about this, but I've spoken with peers and they are also looking into it. It seems like all orgs I have talked to that implemented labels are suffering from this.
I'll mark your comment as the solution, since I'm not sure whether this sharing behavior will be addressed by Microsoft.
Again, thank you for your detailed reply!